No time like migration for cybersecurity

By Jim Montague

Jun 12, 2019

Don’t put off adding cybersecurity until tomorrow if you're migrating process controls today. Admittedly, cybersecurity is a daunting endeavor that can be difficult for even the largest and most capable organization to approach; and migration projects are already stressful enough without voluntarily throwing in the cybersecurity monkey wrench.

"Talking about cybersecurity and transitioning to it takes time and requires specialized skill sets, but the main question users have now is: 'Where do I start?'" said Mike Spear, director of global security consulting and operations at Honeywell Process Solutions, and part of a panel of experts from Georgia-Pacific and Honeywell, who detailed their experiences and best practices for cybersecurity during Honeywell Users Group Americas 2019 this week in Dallas. "Cybersecurity is still a big, wide topic, so education is needed, and we're developing more tools and models for it. There's no magic answer, but we're all making progress."

Jarmo Salminen, director of process control engineering at Georgia-Pacific, added, "Today, we wouldn't put in any information technology (IT) systems without cybersecurity, so why should we put in process controls without cybersecurity?"

Though it's a relatively short window, the period when controls are upgraded or replaced can be the perfect time to build in better cybersecurity measures that can protect process applications and systems from ever-evolving cyber probes, intrusions, threats and attacks.

"We're all so dependent on technology in general, and this has extended to process control systems, as well. As a result, when the pace of cyber attacks increases, control systems are more subject to them, as well," said Donovan Tindill, senior security consultant at Honeywell, who provided context and an introduction for the panel. "However, the risk to process applications is more serious because, while a cyber incident on the IT side can mean the loss of confidentiality and data, the same intrusion or attack on a process application can mean a loss of control, damage to assets and risks to the health of personnel or the community. This is why cybersecurity on the operations technology (OT) side must be part of the process safety effort, as well.

"Cybersecurity must be part of any technology conversation, change or upgrade, just as safety is part of any construction conversation,” continued Tindill. “Security is synonymous with reliability, and those who prioritize cybersecurity will have a competitive advantage."

Securing opportunities

Integrating cybersecurity with migration can help users to take advantage of opportunities, added Tindill, so they can benefit from:

  • Improved management-of-change (MOC) tasks, such as creating cybersecurity checklists, enhancing controls access, adding security features and setting up proven baselines to help users follow up on incident responses;
  • Better design and engineering processes and procedures, such as assessing risk, selecting secure products, designing for security, secure implementation and testing, vulnerability scans and penetration testing and complying with policies and regulations;
  • Reduced number of unplanned outages with critical-patch queuing, improved reboot performance and the ability to trace whether an outage is cybersecurity-related; and,
  • Planned outages with better controller changes, major reboots, architectural changes and critical password changes.

"A lot of enhancements can be done before a revamped or new control system goes live," said Tindill. "All these opportunities are where we can improve cybersecurity, but some other factors need to change to keep users ahead of cyber threats."

Convincing people

Just as migrations must be justified before they're funded, designed and specified, adding cybersecurity must clear the same hurdles, although it probably won't be easy.

"It appears that industry is continuing to exclude cybersecurity because research statistics show that more than 1,700 upgrade projects were completed worldwide in 2017 and 2018, but only 12% of them included any cybersecurity scope," added Tindill. "Likewise, more than 1,400 upgrades were planned for 2019, but only 8% of global customer-quote requests specified any cybersecurity scope.

"If end users don't integrate cybersecurity with their migrations, they could miss out on designing their systems to better handle patches or conduct multiple security tests before operations begin," added Tindill. "Migration is the time to make these changes."

Encouraging approaches

Given the challenges of learning about and understanding the rapidly evolving nature of cybersecurity, the panel reported on a range of options for integrating it into individual process applications.

"It definitely helps to begin with a risk assessment because it's not as scary as trying to start with penetration testing," said Mark Littlejohn, director of global managed security services at Honeywell Process Solutions.

Tindill added the main reason many users start a security assessment and begin to consider adopting cybersecurity is because they must. "It's typically in response to an incident in the organization or to a neighbor, or to resolve an external assessment or compliance issue," he added.

"The result of a cybersecurity assessment is a roadmap, which can be extremely helpful," said Spear. "Users also learn the biggest vulnerabilities can come from inside their own four walls. In addition, they learn that North America is still very immature when it comes to cybersecurity because we haven't addressed many of the basics. It's actually less important to worry about China and Iran, and more important to worry about Bob in the plant."

Fortunately, because even a typical DCS migration requires lots of preplanning, adding a cybersecurity assessment is a good idea, even if it's not initially easy, explained Owen Sillett, manager of Honeywell's Global Migration Center of Excellence. "When I talk with users about DCS and networking, many say they only focus on the DCS, while 'those guys over there' do the network and they just observe it," explained Sillett.

Get news like this in your inbox. Sign up for the Control Update newsletter.